Abstract

We propose a relaxed privacy definition called random differential privacy (RDP). Differential privacy requires 
that adding any new observation to a database will have small effect on the output of the data-release procedure. 
Random differential privacy requires that adding a randomly drawn new observation to a database will have small 
effect on the output. We show an analog of the composition property of differentially private procedures which 
applies to our new definition. We show how to release an RDP histogram and we show that RDP histograms 
are much more accurate than histograms obtained using ordinary differential privacy. We finally show an analog 
of the global sensitivity framework for the release of functions under our privacy definition. 

1 Introduction 

Differential privacy (DP) ([5]) is a type of privacy guarantee that has become quite popular in the computer science 
literature. The advantage of differential privacy is that it gives a strong and mathematically rigorous guarantee. 
The disadvantage is that the strong privacy guarantee often comes at the expense of the statistical utility of the 
released information. We propose a weaker notion of privacy, called "random differential privacy" (RDP), under 
which it is possible to achieve better accuracy. 

The privacy guarantee provided by RDP represents a radical weakening of ordinary differential privacy. This
could be a cause for concern for those who want very strong privacy guarantees. Indeed, we are not suggesting that
RDP should replace ordinary differential privacy. However, as we shall show in this paper (and as has been observed
many times in the past), differential privacy can lead to large information losses in some cases (see e.g., [8]). Thus
we feel there is great value in exploring weakened versions of differential privacy. In other words, we are proposing
a new privacy definition as a way of exploring the privacy/accuracy tradeoff.

We begin by introducing ordinary differential privacy and setting up some notation. We then explore the 
lower limits for accuracy of differentially private techniques in the context of histograms. We introduce a concept 
which parallels minimaxity in statistics, and identify the minimax risk for a differentially private histogram. We 
describe an important subset of these minimax differentially private histograms which we show to have risk which 
is uniformly lower bounded at a rate which is linear in the dimension of the histogram. We then introduce our 
proposed relaxation to differential privacy, under which our technique enjoys the same minimax risk, but with a 
lower bound which depends only on the size of the support of the histogram (namely, the number of nonzero cells) . 
Thus we show that in the context of sparse histograms, the relaxation allows for a strictly better data release. We 
also demonstrate some important properties of our relaxation, such as an analog of the composition lemma. 

2 Differential Privacy (DP) 
2.1 Definition 

Let $X = (X_1, \ldots, X_n) \in \mathcal{X}^n$ be an input database with $n$ observations where $X_i \in \mathcal{X}$. The goal is to produce some
output $Z \in \mathcal{Z}$. For example the inputs may consist of database rows in which each column is a measurement of
an individual, and the output is the number of individuals having some property. Let $Q_n(\cdot \mid X)$ be a conditional
distribution for $Z$ given $X$. Write $X \sim X'$ if $X, X' \in \mathcal{X}^n$ and $X$ and $X'$ differ in one coordinate. We say that $X$
and $X'$ are neighboring databases.$^1$

We say $Q_n$ satisfies $\alpha$-differential privacy if, for all measurable $B \subseteq \mathcal{Z}$ and all $X \sim X' \in \mathcal{X}^n$,

$$\frac{Q_n(Z \in B \mid X)}{Q_n(Z \in B \mid X')} \le e^{\alpha}. \qquad (1)$$

The intuition is that, for small $\alpha > 0$, the value of one individual's data has small effect on the output. We consider
any DP algorithm to be a family of distributions $Q_n$ over the output space $\mathcal{Z}$. We index a family of distributions
by $n$ to show the size of the dataset.

It has been shown by researchers in privacy that differential privacy provides a very strong guarantee. Essentially
it means that whether or not one particular individual is entered in the database has negligible effect on the output.
The research in differential privacy is vast. A few key references are [8], [7], [5], [3] and references therein.



2.2 Noninteractive Privacy and Histograms

Much research on differential privacy focuses on the case where $Z$ is a response to some query such as "what is
the mean of the data." A simple way to achieve differential privacy in that case is to add some noise to the mean
of $X$ where the noise has a Laplace distribution. The user may send a sequence of such queries. This is called
interactive privacy. We instead focus on noninteractive privacy, where the goal is to output a whole database
(or a "synthetic dataset") $Z = (Z_1, \ldots, Z_N)$. Then the user is not restricted to a small number of queries.

One way to release a private database is to first release a privatized histogram. We can then draw an arbitrarily
large sample $Z = (Z_1, \ldots, Z_N)$ from the histogram. It is easy to show that if the histogram satisfies DP then $Z$
also satisfies DP. Hence, in the rest of the paper, we focus on constructing a private histogram.

We consider privatization mechanisms which are permutation invariant with respect to their inputs (i.e., those
distributions which treat the values $X_i$ as a set rather than a vector); in the context of histograms this appears to
be a very mild restriction.

We partition the sample space $\mathcal{X}$ into $k$ cells (or bins) $\{B_j\}_{j=1}^{k}$.$^2$ We consider the input to be a lattice point
in the $k$-simplex, by taking the function $\theta_n(x_1, \ldots, x_n) = (\theta_1, \ldots, \theta_k)$, $\theta_j = \frac{1}{n}\sum_{i=1}^{n} 1\{x_i \in B_j\}$. The image of this
mapping, $\Theta = \theta_n(\mathcal{X}^n)$, is the set of lattice points in the simplex which correspond to histograms of $n$ observations
in $k$ bins. Note that this is in essence a "normalized histogram" since the elements sum to one. This set depends
on $k$ although we suppress this notation. For the remainder of this paper we consider the output space $\mathcal{Z}$ to be the
same as the input space (i.e., a normalized histogram).

Now we give a concrete example of a $Q_n$ which achieves differential privacy. Define $z_j = \theta_j + 2L_j/(n\alpha)$ where
$L_1, \ldots, L_k$ are independent draws from a Laplace distribution with mean zero and rate one. Then $(z_1, \ldots, z_k)$
satisfy DP (see e.g., [8]). However, the $z_j$ themselves do not represent a histogram, because they can be negative
and they do not necessarily sum to one. Hence we may take, for example:

$$\delta(z) = \arg\min_{\theta \in \Theta} \|z - \theta\|_1, \qquad (2)$$

where we use the $\ell_1$ norm: $\|x\|_1 = \sum_j |x_j|$. This procedure hence results in a valid histogram. Note that $\delta(z)$
satisfies differential privacy, since each subset of values it may take clearly corresponds to a measurable subset
of the space of $z$. Since differential privacy held for the real vector then it also holds for the projection (see e.g., [16]).
We will refer to this as the histogram perturbation method (see e.g., [16]). There are other methods for generating
differentially private histograms, and our results below hold over a large subset of all the possible techniques
available (to be made precise after proposition 3.2). Hence our results apply to more than the above concrete scheme.

$^1$ In some papers, the definition is changed so that one sample is a strict subset of the other, having exactly one less element. Although
this definition is perhaps slightly stronger, we do not use it, and remark that the approaches we present below may all be fit into this
framework if so desired.

$^2$ In this paper, $k$ is taken as a given integer. The problem of choosing an optimal $k$ in a private manner is the subject of future work.
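The histogram perturbation method of Section 2.2, as an added worked example (this code is not part of the paper): it forms $\theta_n$, adds the Laplace noise $2L_j/(n\alpha)$ matched to the $\ell_1$ sensitivity $2/n$ of a normalized histogram, and computes the projection $\delta(z)$ of (2) onto the lattice of $n$-sample histograms. The sample, bin edges and $\alpha$ are constructed; the greedy projection routine and its brute-force check are this example's own, not the paper's.

```python
import math
import random
from itertools import product

# Added example, not code from the paper: the histogram perturbation method of
# Section 2.2.  theta_n is the normalized histogram, z_j = theta_j + 2 L_j/(n alpha)
# is the Laplace-perturbed vector, delta(z) of (2) is its l1 projection back onto
# the lattice of n-sample histograms.  Sample data, bin edges and alpha below are
# constructed; the greedy projection and the brute-force check are this example's.


def normalized_histogram(sample, edges):
    """theta_n(x_1..x_n): fraction of points in each of k = len(edges)-1 bins.
    Bin j is [edges[j], edges[j+1]); the last bin also contains edges[-1]."""
    k = len(edges) - 1
    counts = [0] * k
    for x in sample:
        for j in range(k):
            if edges[j] <= x < edges[j + 1] or (j == k - 1 and x == edges[-1]):
                counts[j] += 1
                break
        else:
            raise ValueError(f"{x} lies outside [{edges[0]}, {edges[-1]}]")
    n = len(sample)
    return [c / n for c in counts]


def l1(a, b):
    return sum(abs(u - v) for u, v in zip(a, b))


def laplace(rng, scale):
    """Laplace(0, scale) as the difference of two iid Exp(mean=scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def perturb(theta, n, alpha, rng):
    """z_j = theta_j + 2 L_j/(n alpha).  Moving one record changes theta by at
    most 2/n in l1, so Laplace noise of scale 2/(n alpha) makes z alpha-DP."""
    scale = 2.0 / (n * alpha)
    return [t + laplace(rng, scale) for t in theta]


def project_l1(z, n):
    """delta(z) of (2): counts m_j >= 0 with sum m_j = n minimising
    sum_j |n z_j - m_j|.  Each summand is convex in m_j, so moving one unit at
    a time by the smallest marginal cost from the unconstrained minimiser is optimal."""
    y = [n * zj for zj in z]
    m = [max(0, int(round(yj))) for yj in y]
    while sum(m) != n:
        step = 1 if sum(m) < n else -1
        best, best_cost = None, math.inf
        for j in range(len(m)):
            if m[j] + step < 0:
                continue
            cost = abs(y[j] - (m[j] + step)) - abs(y[j] - m[j])
            if cost < best_cost:
                best, best_cost = j, cost
        m[best] += step
    return [mj / n for mj in m]


def bruteforce_project(z, n):
    """Reference minimiser for tiny k, n: enumerate every lattice point of the simplex."""
    best, best_d = None, math.inf
    for counts in product(range(n + 1), repeat=len(z)):
        if sum(counts) != n:
            continue
        cand = [c / n for c in counts]
        if l1(z, cand) < best_d:
            best, best_d = cand, l1(z, cand)
    return best


def histogram_perturbation(sample, edges, alpha, seed):
    """Full release: theta -> z -> delta(z), with a seeded generator for reproducibility."""
    rng = random.Random(seed)
    n = len(sample)
    theta = normalized_histogram(sample, edges)
    return project_l1(perturb(theta, n, alpha, rng), n)


if __name__ == "__main__":
    rng = random.Random(7)
    edges = [0.0, 0.25, 0.5, 0.75, 1.0]               # k = 4 bins (constructed)
    data = [rng.random() for _ in range(200)]          # n = 200 points (constructed)
    theta = normalized_histogram(data, edges)
    release = histogram_perturbation(data, edges, alpha=0.5, seed=7)
    print("theta   ", [round(t, 3) for t in theta])
    print("delta(z)", [round(t, 3) for t in release], "l1 error", round(l1(theta, release), 3))
```

The projection is post-processing of the already private vector $z$, so it costs no privacy; it only restores the lattice structure (nonnegative multiples of $1/n$ summing to one) that the raw Laplace output lacks.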
3 Lower Bounds for Accuracy with Differential Privacy

To motivate the need for relaxed versions of differential privacy, we consider here the accuracy of differentially
private histograms. We evaluate a differentially private procedure in terms of its "risk", which is a natural measure
of accuracy taken from statistics. We consider the $\ell_1$ loss function, and the associated risk:

$$R(\theta, Q_n) = \int_{\Theta} \|\hat\theta - \theta\|_1 \, dQ_n(\hat\theta \mid \theta), \qquad (3)$$

where $\hat\theta$ is the output of the differentially private algorithm, $\theta$ is the input histogram, and the distribution $Q_n$ is
the one induced by the randomized algorithm. Typically this risk will be a non-constant function of the parameter
$\theta$ and of the distribution $Q_n$. Therefore we consider the "minimax risk", which is the smallest achievable worst-case
risk, and gives a measure of the hardness of the problem which does not depend on a particular choice of procedure:

$$R^* = \inf_{Q_n} \sup_{\theta} R(\theta, Q_n). \qquad (4)$$

We next describe the minimax risk of the best fully differentially private mechanism $Q_n$.

Proposition 3.1. For some constant $c > 0$,

$$R^* \ge c\,\frac{k-1}{\alpha n}.$$

Proof. The proof uses a standard method for deriving minimax lower bounds in statistical estimation. Consider
the $(k-1)$-dimensional hypercube

$$\Big\{\theta : \theta_i \in \{0, \tfrac{r}{n}\},\ i = 1, \ldots, k-1\Big\}$$

(with $\theta_k$ fixed by the constraint that the coordinates sum to one). Take $\theta, \theta'$ to be neighboring corners of this hypercube (namely two elements which differ in exactly one coordinate $i$). Take the KL divergence between the conditional distributions at these corners to be:

$$KL\big(Q_n(\cdot \mid \theta)\,\|\,Q_n(\cdot \mid \theta')\big) = \int_{\Theta} \log\frac{Q_n(\hat\theta \mid \theta)}{Q_n(\hat\theta \mid \theta')}\, dQ_n(\hat\theta \mid \theta).$$

By considering a sequence of points corresponding to neighboring inputs, we find the ratio of densities to have the
upper bound

$$\frac{Q_n(\hat\theta \mid \theta)}{Q_n(\hat\theta \mid \theta')} \le e^{\alpha r},$$

since $r$ elements of the input have to change to move from $\theta$ to $\theta'$ and the ratio at each
step is bounded by $e^{\alpha}$. Therefore the KL divergence obeys $KL(Q_n(\cdot \mid \theta)\,\|\,Q_n(\cdot \mid \theta')) \le \alpha r$. The "affinity" between
the two distributions is:

$$\|Q_n(\cdot \mid \theta) \wedge Q_n(\cdot \mid \theta')\| = \int_{\Theta} \min\{Q_n(\hat\theta \mid \theta), Q_n(\hat\theta \mid \theta')\}\, d\hat\theta.$$

The Kullback-Csiszár-Kemperman inequality [17] yields a lower bound on the affinity between these distributions:

$$\|Q_n(\cdot \mid \theta) \wedge Q_n(\cdot \mid \theta')\| \ge 1 - \sqrt{\alpha r / 2}.$$

Assouad's lemma (see [17] again) thus gives the lower bound:

$$R^* \ge (k-1)\,\frac{r}{2n}\Big(1 - \sqrt{\alpha r / 2}\Big).$$

Taking $r = t/\alpha$ gives

$$R^* \ge \frac{(k-1)\,t}{2\alpha n}\Big(1 - \sqrt{t/2}\Big).$$

For $\alpha < 1$ we may take $t < 1$, which results in the parenthetical expression being positive. □

Remark 1. The previous result demonstrates that the minimax risk of the differentially private histogram is of the
order $O\left(\frac{k}{\alpha n}\right)$.

Remark 2. Hardt and Talwar [10] have a similar result although their setting is somewhat different. In particular,
they do not restrict to the space of histograms based on $n$ observations.

The above result demonstrates that for every differentially private scheme, there is at least one input for which
the risk grows at the order shown (in fact, at least one point in every hypercube of side length $r/n$). However
the prospect exists that at many other inputs the risk is much lower. We now demonstrate that this is not the case
when $k = 2$, by presenting a uniform lower bound for the risk among all minimax schemes. In the case of $k = 2$
the output may be regarded as a single number $\frac{a}{n}$ where $a \in \{0, \ldots, n\}$, which gives the proportion of the data
points in the first bin. Our result will show that, in a sense, the minimax differential privacy schemes are similar to
"equalizer rules", in that the risk is on the same order for every input.

Proposition 3.2. For $k = 2$, for any $Q_n$ which achieves $\sup_\theta R(\theta, Q_n) \le \frac{c_0}{\alpha n}$ we have that $\inf_\theta R(\theta, Q_n) \ge \frac{c_1}{\alpha n}$.

Proof. Note that for any $\theta_1$ and $c > c_0$, due to the uniform upper bound on the risk, Markov's inequality gives

$$\int_{\Theta} 1\Big\{\|\hat\theta - \theta_1\|_1 < \frac{c}{\alpha n}\Big\}\, dQ_n(\hat\theta \mid \theta_1) \ge 1 - \frac{c_0}{c}.$$

Therefore, due to the constraint of differential privacy, we have that, for any $\theta_0$,

$$\int_{\Theta} 1\Big\{\|\hat\theta - \theta_1\|_1 < \frac{c}{\alpha n}\Big\}\, dQ_n(\hat\theta \mid \theta_0) \ge \Big(1 - \frac{c_0}{c}\Big)\exp\Big\{-\frac{\alpha n}{2}\|\theta_0 - \theta_1\|_1\Big\},$$

since $\frac{n}{2}\|\theta_0 - \theta_1\|_1$ elements of the input change to move from $\theta_0$ to $\theta_1$. Therefore taking $\theta_1$ to give $\|\theta_0 - \theta_1\|_1 = \frac{2c}{\alpha n}$,
so that by the triangle inequality $\|\hat\theta - \theta_0\|_1 > \frac{c}{\alpha n}$ on the event above, gives

$$R(\theta_0, Q_n) \ge \frac{c}{\alpha n}\Big(1 - \frac{c_0}{c}\Big)e^{-c} = \frac{c_1}{\alpha n}.$$

As $\theta_0$ is arbitrary, this gives a uniform lower bound under the conditions above. □

For the relaxation of differential privacy given in definition 2.2 of [10], the above result remains intact for large
enough $n$. The relaxation is:

$$Q_n(z \mid X) \le Q_n(z \mid X')\, e^{\alpha} + \eta(n),$$

where $\eta(n)$ is negligible (i.e., tending to zero faster than any inverse polynomial in $n$). Thus via the same technique
as above, we have

$$R(\theta_0, Q_n) \ge \frac{c}{\alpha n}\Big(\Big(1 - \frac{c_0}{c}\Big)e^{-c} - c_2\,\eta(n)\Big) = \frac{c_1 - c\,c_2\,\eta(n)}{\alpha n}.$$

For large enough $n$ this latter term is bounded from below by a positive constant multiple of $\frac{1}{\alpha n}$, since $\eta(n) \to 0$. This indicates that the above relaxation of
differential privacy will not be useful in achieving higher accuracy.
For $k > 2$, we may write

$$R(\theta, Q_n) = \sum_{i=1}^{k} R_i(\theta, Q_n)$$

with

$$R_i(\theta, Q_n) = \int_{\Theta} |\hat\theta_i - \theta_i|\, dQ_n(\hat\theta \mid \theta),$$

where the subscript means the $i$th coordinate. Thus, whenever we have that $R_i \le \frac{c_0}{\alpha n}$ uniformly over $i$, we have
that $R(\theta, Q_n) \ge \frac{c_1 (k-1)}{\alpha n}$. Therefore the only opportunity to improve upon the rate of $\frac{k}{\alpha n}$ is when some $\theta$ have
some coordinate $i$ at which the risk upper bound does not apply.

We conclude by remarking that we have demonstrated that, for a certain class of differentially private algorithms
which achieve the "minimax rate," their risk is uniformly lower bounded at the same rate. The rate in question
is linear in $k$, which is problematic when $k$ is large relative to $n$. It remains an open question whether there are
different techniques which achieve the minimax rate, yet do not have this property. Such a technique would have
to lose the uniform upper bound on the coordinate-wise risk. Below, we present a weakening of differential privacy
which admits release mechanisms that both keep the uniform upper bound on the coordinate-wise risk and also
have a minimax risk which grows only in the support of the histogram (namely, the number of cells which
contain observations).



4 Random Differential Privacy

In random differential privacy (RDP) we view the data $X = (X_1, \ldots, X_n)$ as random draws from an unknown
distribution $P$. This is certainly the case in statistical sampling and of course it is the usual assumption in most
learning theory. Let us denote the observed values of the random variables $X = (X_1, \ldots, X_n)$ by $x = (x_1, \ldots, x_n)$.
Recall that under DP, $Q(Z \in B \mid x_1, \ldots, x_n)$ is not strongly affected if we replace some value $x_i$ with another value
$x_i'$. We continue to restrict to the case in which $Q(Z \in B \mid x_1, \ldots, x_n)$ is invariant to permutations of $(x_1, \ldots, x_n)$.
Thus we may restate DP by saying that $Q(Z \in B \mid x_1, \ldots, x_n)$ is not strongly affected if we replace $x_n$ by some other
arbitrary value $x_n'$. In RDP, we require instead that the distribution $Q_n(\cdot \mid x_1, \ldots, x_n)$ is not strongly affected if we
replace $x_n$ by some new $x_n'$ which is also randomly drawn from $P$.

Definition 1 ($(\alpha, \gamma)$-Random Differential Privacy). We say that a randomized algorithm $Q_n$ is $(\alpha, \gamma)$-Randomly
Differentially Private when:

$$P\Big(\forall B \subseteq \mathcal{Z},\ e^{-\alpha} \le \frac{Q_n(Z \in B \mid X)}{Q_n(Z \in B \mid X')} \le e^{\alpha}\Big) \ge 1 - \gamma,$$

where

$$X = (X_1, \ldots, X_{n-1}, X_n), \qquad X' = (X_1, \ldots, X_{n-1}, X_{n+1})$$

(i.e., $X \sim X'$), and the probability is with respect to the $(n+1)$-fold product measure $P^{n+1}$ on the space $\mathcal{X}^{n+1}$, that
is, $X_1, \ldots, X_{n+1} \sim P$.

We also give the "random" analog of $(\alpha, \eta)$-Differential Privacy:

Definition 2 ($(\alpha, \eta, \gamma)$-Random Differential Privacy). We say that a randomized algorithm $Q_n$ is $(\alpha, \eta, \gamma)$-Randomly
Differentially Private when:

$$P\Big(\forall B \subseteq \mathcal{Z},\ Q_n(Z \in B \mid X) \le e^{\alpha} Q_n(Z \in B \mid X') + \eta(n)\Big) \ge 1 - \gamma,$$

where $\eta$ is negligible (i.e., decreasing faster than any inverse polynomial).

We note that [12] also consider a probabilistic relaxation of DP. However, their relaxation is quite different from
the one considered here. Namely, their relaxation bounds the probability that the differential privacy criterion is
not met, but where the probability is taken with respect to the randomized algorithm itself. Our relaxation takes
the probability with respect to the generation of the data itself. The following result is clear from the definition of
random differential privacy.

Proposition 4.1. $(\alpha, \gamma)$-RDP is a strict relaxation of $\alpha$-DP. That is, if $Q_n$ is DP then it is also RDP. However,
there are RDP procedures that are not DP.

Remark 3. Although an $\alpha$-DP procedure fulfils the requirement of $(\alpha, 0)$-RDP, the converse is not true. The reason
is that the latter requires that the condition (that the ratio of densities be bounded) holds almost everywhere with
respect to the unknown measure, whereas DP requires that this condition holds uniformly everywhere in the space.

We next show an important property of the definition, namely, that RDP algorithms may be composed to give
other RDP algorithms with different constants. The analogous composition property for DP was considered to be
important because it allowed rapid development of techniques which release multiple statistics, as well as techniques
which allow interactive access to the data.

Proposition 4.2 (Composition). Suppose $Q, Q'$ are distributions over $\mathcal{Z}, \mathcal{Z}'$ which are $(\alpha, \gamma)$-RDP and $(\alpha', \gamma')$-RDP
respectively. The following distribution $C$ over $\mathcal{Z} \times \mathcal{Z}'$ is $(\alpha + \alpha', \gamma + \gamma')$-RDP:

$$C(Z, Z' \mid X) = Q(Z \mid X) \cdot Q'(Z' \mid X).$$

This result is simply an application of the union bound combined with the standard composition property of
differential privacy. As an example, suppose it is required to release $k$ different statistics of some data sample. If
each one is released via an $(\alpha/k, \gamma/k)$-RDP procedure, then the overall release of all $k$ statistics together achieves
$(\alpha, \gamma)$-RDP. A similar result holds for the composition of $(\alpha, \eta, \gamma)$-RDP releases.

5 RDP Sparse Histograms

We first give a technique for the release of a histogram which works well in the case of a sparse histogram, and
which satisfies $(\alpha, \gamma)$-Random Differential Privacy. We then compare the accuracy of this method to a lower
bound on the accuracy of an $\alpha$-Differentially Private approach.

The basic idea is to not add any noise to cells with low counts. This results in partitioning the space into two
blocks, releasing a noise-free histogram in one block, and using a differentially private histogram in the other. The
partition will depend on the data itself. For a sample $x_1, \ldots, x_n$, we denote $S = S(x_1, \ldots, x_n) = \{ j : \theta_j = 0 \}$.
Then we consider the release mechanism which leaves the empty cells exactly as they are and perturbs the remaining
cells as in the histogram perturbation method of Section 2.2:

$$z_j = \begin{cases} \theta_j + 2L_j/(n\alpha), & j \notin S, \\ 0, & j \in S, \end{cases} \qquad (5)$$

where $L_1, \ldots, L_k$ are independent draws from a Laplace distribution with mean zero and rate one.

Proposition 5.1. The random vector $Z = (z_1, \ldots, z_k)$ as defined in (5) satisfies $(\alpha, \gamma)$-RDP whenever $2k < \gamma n$.

In demonstrating RDP, we take the sample $x_1, \ldots, x_n, x_{n+1}$ and denote $S = S(x_1, \ldots, x_n)$ and $S' = S(x_1, \ldots, x_{n-1}, x_{n+1})$.
We consider the output distribution of our method when applied to each of the neighboring samples. The event
that the ratio of densities fails to meet the requisite bound is a subset of the event where either $x_{n+1} \in S$ or $x_n \in S'$
(here and below, $x \in S$ means that $x$ falls in a cell indexed by $S$); the condition $2k < \gamma n$ is what lets us bound the
probability of this event. In the complement of this event the partitions are the same, and the differing samples
both fall within the block which receives the Laplace noise, so the DP condition is achieved. In demonstrating the
RDP, we simply bound the probability of the aforementioned event, conditional on the order statistics.



Proof of proposition 5.1. In the interest of space let the vector of order statistics be denoted $T = (x_{(1)}, \ldots, x_{(n+1)})$.
Let

$$S^*(x_1, \ldots, x_n, x_{n+1}) = \Big\{ j : \sum_{i=1}^{n+1} 1\{x_i \in B_j\} \le 1 \Big\}.$$

We have that $S, S' \subseteq S^*$. We thus have

$$P(x_n \in S' \text{ or } x_{n+1} \in S \mid T) \le P(x_n \in S^* \text{ or } x_{n+1} \in S^* \mid T).$$

The latter probability is just the fraction of ways in which the order statistics may be rearranged so that $x_n$ or $x_{n+1}$
fall within $S^*$. Due to the condition $2k < \gamma n$, we have $|S^*| \le k < \frac{\gamma n}{2}$. Therefore, since each cell in $S^*$ contains at
most one of the $n+1$ points, the fraction of rearrangements having at least one of $x_n$ or $x_{n+1}$ in $S^*$ is bounded above:

$$P(x_n \in S^* \text{ or } x_{n+1} \in S^* \mid T) \le \frac{2|S^*|}{n+1} < \gamma.$$

Therefore

$$P(x_n \in S' \text{ or } x_{n+1} \in S) = \int P(x_n \in S' \text{ or } x_{n+1} \in S \mid T)\, dP(T) \le \int P(x_n \in S^* \text{ or } x_{n+1} \in S^* \mid T)\, dP(T) < \gamma \int dP(T) = \gamma.$$

Finally, since the ratio bound can only fail on the event just bounded:

$$P\Big(\forall B \subseteq \mathcal{Z},\ e^{-\alpha} \le \frac{Q_n(B \mid X)}{Q_n(B \mid X')} \le e^{\alpha}\Big) \ge 1 - P(x_n \in S' \text{ or } x_{n+1} \in S) \ge 1 - \gamma.$$

□



5.1 Accuracy

Here we show that $\delta(z)$ from (2), applied to the output $z$ of (5), is close to $\theta$ even when the histogram is sparse.

Theorem 5.2. Suppose that $2k < \gamma n$. Let $\theta_n(x_1, \ldots, x_n) = (\theta_1, \ldots, \theta_r, 0, \ldots, 0)$ for some $1 \le r \le k$. Then
$\|\theta - \delta(z)\|_1 = O_P(r/\alpha n)$.

Proof. Let $L_1, \ldots, L_r \sim$ Laplace. Let $\mathcal{E}$ be the event that $L_j > -\frac{n\alpha}{2}\theta_j$ for all $1 \le j \le r$. Then $\mathcal{E}$ holds, except
on a set of exponentially small probability. Suppose $\mathcal{E}$ holds. Let $W = \sum_{j=1}^{r} |L_j| = O_P(r)$. For $1 \le j \le r$,
$z_j = \theta_j + (2L_j)/(n\alpha)$. For $j > r$, $z_j = \theta_j = 0$. Hence $\|z - \theta\|_1 = \frac{2W}{n\alpha} = O_P(r/\alpha n)$. Furthermore $\|\delta(z) - z\|_1 \le \|\theta - z\|_1$,
since $\theta$ is itself a valid histogram and $\delta(z)$ is the valid histogram closest to $z$.
Hence via the triangle inequality we have $\|\delta(z) - \theta\|_1 = O_P(r/\alpha n)$. □

We thus have a technique for which the risk is uniformly bounded above by $O(k/\alpha n)$ as with the DP technique,
and which also enjoys the coordinate-wise upper bound on the risk. However in this regime, the risk is no longer
uniformly lower bounded with a rate linear in $k$, since the upper bound is linear in $r$ in the case of sparse vectors.
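The sparse-histogram release of Section 5 as an added example (not the paper's code): cells that are empty in the sample, the set $S$, are released as exact zeros, and only the occupied cells receive the Laplace noise $2L_j/(n\alpha)$ of the DP histogram perturbation method. It is run against the all-cells-noised DP release on a constructed histogram shaped like the one in Section 8 ($k = 25$ cells, $n = 500$ points in two of them). The check of the "bad event" of Proposition 5.1 ($x_{n+1}$ landing in $S$, or $x_n$ landing in $S'$), the $\gamma$ lower bound $2k/n$, and all names below are this example's own.

```python
import random

# Added example, not code from the paper: the sparse-histogram release of
# Section 5 as the text describes it.  Cells that are empty in the sample (the
# set S) are released as exact zeros; every other cell gets the Laplace noise
# 2 L_j/(n alpha) of the DP histogram perturbation method.  It is compared with
# noising all k cells on a constructed histogram shaped like the one in Section 8
# (k = 25 cells, n = 500 points in two of them).  The "bad event" check below is
# this example's own di diagnostic of the event bounded in Proposition 5.1.


def laplace(rng, scale):
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def counts_to_theta(counts):
    n = sum(counts)
    return [c / n for c in counts]


def empty_cells(counts):
    """S = { j : theta_j = 0 }."""
    return {j for j, c in enumerate(counts) if c == 0}


def dp_release(counts, alpha, rng):
    """Ordinary alpha-DP histogram perturbation: every cell, empty or not, is noised."""
    n = sum(counts)
    scale = 2.0 / (n * alpha)
    return [c / n + laplace(rng, scale) for c in counts]


def rdp_release(counts, alpha, rng):
    """RDP release: cells in S are output as exact zeros, the rest are noised."""
    n = sum(counts)
    scale = 2.0 / (n * alpha)
    return [0.0 if c == 0 else c / n + laplace(rng, scale) for c in counts]


def rdp_guarantee_fails(counts, leaving_cell, arriving_cell):
    """Neighbouring samples: X has its last point x_n in `leaving_cell`, X' swaps it
    for a fresh x_{n+1} in `arriving_cell`.  The density-ratio bound can only fail
    when x_{n+1} lands in S(X) or x_n lands in S(X'): then one release puts an exact
    zero where the other has a continuous density, and no e^alpha bound holds."""
    neighbour = list(counts)
    neighbour[leaving_cell] -= 1
    neighbour[arriving_cell] += 1
    return arriving_cell in empty_cells(counts) or leaving_cell in empty_cells(neighbour)


def gamma_lower_bound(k, n):
    """Proposition 5.1 needs 2k < gamma n, i.e. gamma > 2k / n."""
    return 2.0 * k / n


def l1(a, b):
    return sum(abs(u - v) for u, v in zip(a, b))


def simulate(release, counts, alpha, trials, seed):
    rng = random.Random(seed)
    return [release(counts, alpha, rng) for _ in range(trials)]


def mean_l1_error(release, counts, alpha, trials, seed):
    theta = counts_to_theta(counts)
    runs = simulate(release, counts, alpha, trials, seed)
    return sum(l1(theta, z) for z in runs) / trials


# Constructed data: k = 25 cells, n = 500 points, only cells 3 and 17 occupied.
COUNTS = [0] * 25
COUNTS[3], COUNTS[17] = 300, 200

if __name__ == "__main__":
    alpha = 1.0
    print("gamma must exceed", gamma_lower_bound(25, 500))
    print("DP  mean l1 error", round(mean_l1_error(dp_release, COUNTS, alpha, 100, 1), 4))
    print("RDP mean l1 error", round(mean_l1_error(rdp_release, COUNTS, alpha, 100, 1), 4))
    print("x_{n+1} into an empty cell breaks the ratio bound:", rdp_guarantee_fails(COUNTS, 3, 0))
    print("x_{n+1} into an occupied cell does not:", rdp_guarantee_fails(COUNTS, 3, 17))
```

The expected $\ell_1$ error of the DP release is about $k \cdot 2/(n\alpha)$ while the RDP release pays only $r \cdot 2/(n\alpha)$ for the $r$ occupied cells, which is the $k$ versus $r$ gap of Theorem 5.2. The projection $\delta(z)$ of (2) can be applied to either output afterwards as post-processing; it is omitted here because it does not change the comparison.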

6 RDP via Sensitivity Analysis

We next demonstrate that RDP allows schemes for release of other kinds of statistics (besides histograms). A common
technique used to establish a differentially private technique is to use Laplace noise with variance proportional
to the "global sensitivity" of the function [6]. We show that there is an analog of this technique for RDP. We next
demonstrate a method for the RDP release of an arbitrary function $g_n(x_1, \ldots, x_n) \in \mathbb{R}$.
We consider the algorithm which samples the distribution

$$Q_n(z \mid x_1, \ldots, x_n) \propto \exp\Big\{\frac{-\alpha\,|z - g_n(x_1, \ldots, x_n)|}{s_n(x_1, \ldots, x_n)}\Big\}. \qquad (6)$$

It is well known that when $s_n$ is the constant function which gives an upper bound on the global sensitivity [5]
of $g_n$, this method enjoys $\alpha$-DP. As we allow $s_n$ to depend on the data we may make use of the local sensitivity
framework of [14]. There it is demonstrated that whenever

$$\forall X \sim X' \quad s_n(X) \le e^{\beta} s_n(X') \qquad (7)$$

and

$$\forall X \quad \sup_{X' \sim X} |g_n(X) - g_n(X')| \le s_n(X) \qquad (8)$$

then (6) gives $(2\alpha, \eta)$-DP with

$$\eta = e^{-\alpha/\beta} \qquad (9)$$

(see [14] definition 2.1, lemma 2.5 and example 3). In moving from DP to RDP we may now require that conditions
(7) and (8) hold only with the requisite probability $1 - \gamma$. Then (6) will achieve $(2\alpha, \eta, \gamma)$-RDP.
We consider a special subset of functions for which:

$$\sup_{X \sim X'} |g_n(X) - g_n(X')| = n^{-1} \sup_{x, x'} h(x, x').$$

Examples of functions satisfying this property are, e.g., statistical point estimators [15] and regularized logistic
regression estimates [3]. In particular in these cases it is assumed that $\mathcal{X}$ is some compact subset of $\mathbb{R}^d$ and then,
e.g., $\sup_{x, x'} h(x, x') = \|x - x'\|_2$ gives the diameter of this set.
We replace conditions (7) and (8) with:

$$P\big(s_n(X) \le e^{\beta} s_n(X')\big) \ge 1 - \gamma_1 \qquad (10)$$

and

$$P\big(n^{-1} h(x, x') \le \min\{s_n(X), s_n(X')\}\big) \ge 1 - \gamma_2. \qquad (11)$$

Note that $x, x'$ are random draws from $P$ which are independent of the random vectors $X, X'$. The first condition
simply requires (7) to hold except on a set of measure $\gamma_1$. The second condition implies that both $s_n(X)$ and
$s_n(X')$ give upper bounds to the local sensitivity, except on a set of measure $\gamma_2$. Putting these together along with
the above considerations will yield a $(2\alpha, \eta, \gamma_1 + \gamma_2)$-RDP method. We note that we are essentially asking that
$s_n(X)$ and $s_n(X')$ both give valid quantiles for the random variable $h(x, x')$, and that they give similar values with
high probability.

We consider the empirical process based on $h$ and the data sample $X$ given by:

$$D(X, t) = \frac{2}{n} \sum_{i=1}^{n/2} 1\{ h(x_i, x_{i+n/2}) \le t \}.$$

This is exactly an empirical CDF for the distribution of $h(x, x')$, based on $n/2$ independent samples of $h(x, x')$. We
may anticipate that sample quantiles of this empirical CDF will be close to the quantiles from the true CDF, which
we denote by $H(t) = P(h \le t)$. This is made precise by the DKW inequality (see e.g., [13]), which in this case
yields:

$$P\Big(\sup_t |H(t) - D(X, t)| > \epsilon\Big) \le 2 e^{-n\epsilon^2}. \qquad (12)$$

Thus taking $d_\delta(X)$ to be the smallest $d$ with $D(X, d) \ge 1 - \delta$, and $h_{\delta'}$ to give the $1 - \delta'$ quantile of $h$, with
$\delta < \delta'$, we have:

$$P(h(x, x') > d_\delta) \le \delta' + P(d_\delta(X) < h_{\delta'}) \le \delta' + 2 e^{-(\delta' - \delta)^2 n}.$$

The second inequality comes from applying the monotone function $D(X, \cdot)$ to both sides of the inequality
statement in the probability, and then rearranging, to yield $P(D(X, h_{\delta'}) - H(h_{\delta'}) \ge \delta' - \delta)$, which is bounded
due to the DKW inequality (12). Thus for some appropriate choice of $\delta, \delta'$ we may take $s_n(X) = n^{-1} d_\delta(X)$, and
thus achieve (11).



Now to achieve (10) we turn to the Bahadur-Kiefer representation of sample quantiles (see [11]). We have that:

where $H'$ is the derivative of $H$ (namely the density). Hence we concentrate on the case when $h$ is a continuous
random variable. We find the ratio to be bounded in probability:

$$\frac{d_\delta(X)}{d_\delta(X')} \le 1 + \frac{|d_\delta(X) - d_\delta(X')|}{d_\delta(X')} = 1 + \frac{O_P(n^{-1/2})}{h_\delta + O_P(n^{-1/2})},$$

where the final equality stems from using DKW to bound $D(X, h_\delta) - H(h_\delta)$, along with the triangle
inequality to bound $|D(X, h_\delta) - D(X', h_\delta)|$. This therefore demonstrates that:

$$\frac{d_\delta(X)}{d_\delta(X')} \le 1 + O_P(n^{-1/2}) = O_P\big(e^{n^{-1/2}}\big).$$

This means that for large enough $n$, and with some probability $1 - \gamma_1$, the ratio is bounded by $e^{\beta}$ where $\beta$ is polynomial
in $n^{-1/2}$. Examining (9) we find $\eta$ to be negligible for such a choice of $\beta$. Therefore the use of $s_n(X) = n^{-1} d_\delta$
achieves the RDP as required.

We note that in principle this same approach would work, were we to replace $D(X, t)$ with the U-statistic
process:

$$U(X, t) = \frac{1}{\binom{n}{2}} \sum_{i < j} 1\{ h(x_i, x_j) \le t \}.$$

Though this is essentially another empirical CDF, it is based on non-independent samples since each $x_i$ participates
in $n - 1$ of the evaluations of $h$. Nevertheless an analog of the DKW inequality still applies to this process,
and we still have the same behavior of the quantiles (see e.g., [1]).
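The data-dependent sensitivity of Section 6 carried through in code, as an added example (not the paper's code): $g_n$ is the sample mean of real-valued data, $h(x, x') = |x - x'|$ (so $d = 1$), $D(X, t)$ is built from the $n/2$ disjoint pairs $(x_i, x_{i+n/2})$, $d_\delta(X)$ is the smallest observed $d$ with $D(X, d) \ge 1 - \delta$, $s_n(X) = d_\delta(X)/n$, and one draw from (6) is $g_n(X)$ plus Laplace noise of scale $s_n(X)/\alpha$. The data and the values of $\alpha$, $\delta$, $\delta'$ are constructed; the DKW bound function evaluates $2e^{-(\delta'-\delta)^2 n}$ from the text.

```python
import math
import random

# Added example, not code from the paper: releasing g_n under RDP with the
# data-dependent sensitivity s_n(X) = d_delta(X)/n of Section 6.  g_n is the
# sample mean, h(x, x') = |x - x'| (d = 1), D(X, t) is the empirical CDF over the
# n/2 disjoint pairs (x_i, x_{i+n/2}), and the release is one draw from (6):
# g_n(X) + Laplace(s_n(X)/alpha).  Data, alpha, delta and delta' are constructed.


def h(x, xp):
    return abs(x - xp)


def pair_distances(sample):
    """The n/2 independent evaluations h(x_i, x_{i+n/2}) behind D(X, t)."""
    half = len(sample) // 2
    return [h(sample[i], sample[i + half]) for i in range(half)]


def empirical_cdf(dists, t):
    """D(X, t) = (2/n) sum_{i <= n/2} 1{ h(x_i, x_{i+n/2}) <= t }."""
    return sum(1 for d in dists if d <= t) / len(dists)


def d_delta(dists, delta):
    """Smallest observed d with D(X, d) >= 1 - delta: a sample (1 - delta) quantile."""
    ordered = sorted(dists)
    for d in ordered:
        if empirical_cdf(dists, d) >= 1 - delta:
            return d
    return ordered[-1]


def data_dependent_sensitivity(sample, delta):
    """s_n(X) = d_delta(X)/n: bounds |g_n(X) - g_n(X')| for the mean when the
    swapped-in point x' satisfies h(x, x') <= d_delta, which fails only with the
    probability controlled by the DKW bound below."""
    return d_delta(pair_distances(sample), delta) / len(sample)


def dkw_failure_bound(n, delta, delta_prime):
    """P(d_delta(X) < h_{delta'}) <= 2 exp(-(delta' - delta)^2 n), for delta < delta'."""
    if not delta < delta_prime:
        raise ValueError("need delta < delta'")
    return 2.0 * math.exp(-((delta_prime - delta) ** 2) * n)


def laplace(rng, scale):
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release_mean(sample, alpha, delta, seed):
    """One draw from (6) with g_n = mean and the data-dependent s_n."""
    rng = random.Random(seed)
    g = sum(sample) / len(sample)
    s = data_dependent_sensitivity(sample, delta)
    return g + laplace(rng, s / alpha)


if __name__ == "__main__":
    rng = random.Random(3)
    n = 1000
    data = [rng.gauss(0.0, 1.0) for _ in range(n)]   # constructed; unbounded support,
    delta, delta_prime = 0.01, 0.05                   # so no finite global sensitivity exists
    print("s_n(X) =", round(data_dependent_sensitivity(data, delta), 5))
    print("P(s_n too small) <= delta' +", round(dkw_failure_bound(n, delta, delta_prime), 4))
    print("released mean:", round(release_mean(data, 1.0, delta, seed=3), 4))
```

For data confined to a set of diameter $\Delta$ the global sensitivity of the mean is $\Delta/n$ and $s_n(X) \le \Delta/n$ always, so the data-dependent scale never adds more noise than the global-sensitivity mechanism; for unbounded data such as the Gaussian sample above the global scale does not exist at all, and $s_n$ is what makes a release possible.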



7 Privacy Concerns

As stated above, we mainly use random differential privacy as a vehicle for a theoretical exploration of the boundaries
of differential privacy. Although it is a conceptually reasonable weakening of differential privacy, whether it is
appropriate to use in practice requires more attention. For example, if the hypothesized adversary (of e.g., [16]
theorem 2.4) really had access to a subset of $n - 1$ of the data, and the one remaining element was the only
inhabitant of its histogram cell, then this would be immediately revealed to the adversary. Whether this is a critical
problem depends on the application.



8 Example 



We present two examples in which the RDP technique and the DP technique are compared on synthetic histogram
data. In the first example the histogram has $k = 25$ bins, all but two of which are empty, and $n = 500$ points fall
into the other two. Figure 1(a) shows the original data as well as the sanitized data due to differential privacy
and RDP. Figure 1(b) shows the distribution of $\ell_1$ loss from 100 simulations of both approaches. We see that the
risk of the RDP histogram is typically much lower than that of the DP histogram, which occasionally has risk in
excess of 0.5 (recall that the maximum possible loss is 2 in the case that the original and sanitized histograms have
completely disjoint support).

Figure 1: A one dimensional example. (a) Original and synthetic data for DP (top) and RDP (bottom). (b) Empirical error distribution for DP (top) and RDP (bottom).

We present an analogous two dimensional example in Figure 2. Here the histogram has $k = 400$ bins, of which all
but 16 are empty. In this example we see that the RDP technique has uniformly better loss than the DP technique.

9 Conclusion 

We have introduced a relaxed version of differential privacy — random differential privacy — shown how to apply 
it to histograms and examined the accuracy of the resulting method. We also demonstrated some properties of 
our definition, and explained a basic construction for release of arbitrary functions of the data. As we mentioned 
in the introduction, we are not suggesting that differential privacy should be abandoned and replaced by random 
differential privacy. However, we do think it is fruitful to consider various relaxations of differential privacy to gain 
a deeper understanding of the tradeoffs between the strength of the privacy guarantee and the accuracy of the data 
release mechanism. 

In ongoing work we are extending this work to allow for data dependent choices of the number of bins and 
to allow for other density estimators besides histograms. We are also considering other relaxations of differential 
privacy. We will report on these results in future work. 